3 posts from May 2014

05/22/2014

This month’s major data breach news comes courtesy of hackers who accessed eBay’s user database by using valid credentials pilfered from eBay employees. The hackers apparently had access to eBay’s entire database of 145 million active users during the months of February and March 2014. The information accessed included passwords in encrypted form, as well as names, email addresses, shipping addresses, and dates of birth all in plaintext.

eBay’s user database was apparently accessible to the hackers because they logged in using genuine eBay employee credentials. But why should that give the hackers unfettered access to the entire user database? Of course company employees may have valid reasons for accessing the user database, but eBay could have limited the access such that:

a separate password or two-factor authentication was required to gain entry to the database; and

the database was only accessible from whitelisted terminals.

eBay’s IT department has a chance to address those issues, but the company’s public relations department hasn’t done too well thus far.

eBay posted a notice on its website regarding the breach, entitled “Important Password Update,” the full text of which is below.

In VDC’s opinion, eBay’s public response to the breach has missed the mark.

eBay’s notice informed users that their encrypted passwords might have been compromised, and instructed them to change those passwords. Since the passwords were stored using a “salted hash” technique, few if any actual passwords are likely to be recovered. Nevertheless, it doesn’t hurt to tell users to change passwords, particularly if a user shares the same password across multiple websites. However, the notice failed to mention the other personal information (non-encrypted) that was compromised. Such personal information presents a risk that hackers could attempt identity theft, which is arguably a greater concern than the compromise of one site’s password. In effect, eBay has warned users about the information that is probably still safe, and ignored the disclosure of information that is clearly unsafe. And by failing to mention the other personal data that was accessed, eBay is creating a false sense of security that users will be safe if they just change their passwords.
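Why a salted hash blunts the exposure of a stolen password column, shown as an added example that is not eBay's implementation (eBay did not say which hash or work factor it used): a Python sketch that stores each password with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256, an assumed choice), beside a constructed lookup table that matches unsalted SHA-256 digests of a few common passwords but can never match a salted record.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; an assumed value for the example, tuned per deployment in practice.
PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None, rounds: int = PBKDF2_ROUNDS) -> dict:
    """Store a password as a per-user random salt plus a slow PBKDF2 digest.

    The salt is not secret and is kept beside the digest; its job is to make
    every user's digest unique, so no single precomputed table applies to the
    whole column, and the slow function makes each guess costly.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh 128-bit salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and rounds; compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def unsalted_sha256_hex(password: str) -> str:
    """The weak scheme for comparison: one fast, unsalted hash per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed sample list standing in for a precomputed table of common passwords.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein"]
UNSALTED_TABLE = {unsalted_sha256_hex(p): p for p in COMMON_PASSWORDS}


def lookup_unsalted(hex_digest: str) -> Optional[str]:
    """Against unsalted fast hashes, one table built once covers every user in the dump."""
    return UNSALTED_TABLE.get(hex_digest)


def lookup_salted(record: dict) -> Optional[str]:
    """The same table against a salted PBKDF2 record never matches: the digest
    depends on a salt the table was not built with, so recovery would require
    rerunning the slow function separately for every user and every guess."""
    return UNSALTED_TABLE.get(record["hash"])


if __name__ == "__main__":
    alice = hash_password("password", rounds=10_000)  # lower rounds only to keep the demo quick
    bob = hash_password("password", rounds=10_000)
    print("same password, different digests:", alice["hash"] != bob["hash"])
    print("table hit on unsalted digest:", lookup_unsalted(unsalted_sha256_hex("password")))
    print("table hit on salted record:", lookup_salted(alice))
    print("login with correct password:", verify_password("password", alice))
```

This is also why the advice to change passwords is still worth following: salting and a slow function raise the cost of recovering a weak password, they do not make it impossible, and a password reused on another site is only as safe as that site's storage.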

Password changes can help make eBay safer, but they don’t improve the security of users whose personal information has already been appropriated. Because disclosure of users’ personal information could lead to subsequent attempts at identity theft, eBay might need to offer up free credit monitoring service to its users, even though no credit card or other financial information was disclosed.

Users don’t necessarily care how safe and secure eBay is; they care how safe and secure their own personal information is. eBay’s response thus far indicates that the company doesn’t get the distinction.

Full text of eBay’s notice to users:

[Note several days after we posted this, eBay revised the text of its password update notice to include the fact that personal data beyond encrypted passwords had been compromised, although eBay still doesn't relate the implications of that to its members. The text below is eBay's original notice.]

Important Password Update

Keeping Our Buyers and Sellers Safe and Secure on eBay

On Wednesday, we announced that we are asking all eBay users to change their password. This is because of a cyberattack that compromised our eBay user database, which contained your encrypted password.

Because your password is encrypted (even we don’t know what it is), we believe your eBay account is secure. But we don’t want to take any chances. We take security on eBay very seriously, and we want to ensure that you feel safe and secure buying and selling on eBay. So we think it’s the right thing to do to have you change your password. And we want to remind you that it’s a good idea to always use different passwords for different sites and accounts. If you used your eBay password on other sites, we are encouraging you to change those passwords, too.

Here’s what we recommend you do the next time you visit eBay:

Take a moment to change your password. You can do this in the “My eBay” section under account settings. This will help further protect you; it’s always a good practice to periodically update your password. Millions of eBay users already have updated their passwords.

Remember to always use different passwords on different sites and accounts. So if you haven’t done this yet, take the time to do so.

Meanwhile, our team is committed to making eBay as safe and secure as possible. So we are looking at other ways to strengthen security on eBay. In the coming days and weeks we may be introducing new security features. We’ll keep you updated as we do.

Thanks for your support and cooperation. eBay is your marketplace, and we are committed to keeping it one of the world’s safest places to buy and sell.

Devin Wenig, President, eBay Marketplaces

VDC Research will be attending Innovate2014, IBM’s Technical Summit in Orlando, June 1-3, 2014. IBM has planned an exciting agenda for the conference highlighting continuous engineering, DevOps, and Innovation.

We are also pleased to announce that Chris Rommel, Executive Vice President of M2M Embedded Technology, is a speaker for an important panel discussion, “Best Practices for Agile Product Development”, to be held Monday, June 2. We encourage you to attend.

Best Practices for Agile Product Development discussion overview:

Agile methods are popular and effective in software development for complex products. But the application of agile principles to the broader product development process offers the prospect of even greater business value through improved productivity and predictability and better management of change. This session presents a panel of several experts to discuss the challenges of extending agile beyond software processes. These experts will also address key approaches that can maximize the value for product development organizations.

Haven't decided yet if you're attending IBM Innovate2014? Please check out the Innovate2014 website for more information on the conference program, scheduled speakers, as well as information on companies that will be exhibiting. We hope to see you there.

05/16/2014

VDC recently completed an in-depth analysis of the use of, and trends around, Agile and DevOps methods in the embedded systems market. It is an exciting space with a number of dynamic changes underway as OEMs investigate new ways to improve the overall efficiency of systems development in the face of pressing time-to-market, process standard, and complexity challenges. We have a lot of compelling findings that demonstrate the growing use of Agile, DevOps, and other collaborative approaches across the embedded landscape.

As we dug deep into the data an interesting theme kept linking the findings…collaboration is contagious.

Challenges unique to the embedded market impeded early Agile adoption and, in many cases, will preclude full adherence to the methodology. Nevertheless, once iterative software development practices are successfully introduced, embedded engineering organizations are soon looking into additional ways of improving efficiency through expanding collaboration. Time and again, the initial taste seems to spur more interest.

[Chart: Importance of scaling Agile within organization, by use of Agile]

The same spirit of reflection and refinement of processes that is a central principle of the Agile methodology is encouraging users to investigate new approaches like scaled Agile, cross-domain integration, and DevOps. Many organizations that introduced Agile on a limited basis are now focused on scaling it to more of their organization by implementing the processes more deeply in existing projects, and expanding use of Agile methods to more teams and projects.

More insight:

Findings from VDC’s 2014 Software and System Development survey helped guide the above analysis. This year, over 500 engineers from a wide range of industries provided invaluable insight into their development and tooling plans, preferences, and pain-points. The full data set from this extensive, global end-user survey is provided to clients of VDC’s Software and System Lifecycle Technology and Engineering Trends Analysis reports. For further investigation and analysis about these trends, please see our most recent report, Agile and DevOps for Embedded Systems, which is available now.